Updated Guideline for BaaS
On June 6th, the Fed, OCC, and FDIC jointly released updated guidance on banks' third-party risk management.
This had been highly anticipated since last year, when regulators began drumming up scrutiny of partnerships between banks and fintech/non-bank entities.
It started with the OCC Chief’s speech in September, followed by the Treasury report in November, remarks from Fed officials in December, and enforcement actions against banks like Blue Ridge/Cross River.
The guideline does not relieve small banks of their regulatory duties: "the guidance is relevant to all banking organizations".
However, it does acknowledge that the risk management processes should consider “the banking organization’s size, complexity, and risk profile and with the nature of its third-party relationships”.
The guideline is "principles-based". It is not meant to be prescriptive, but it is detailed enough to cover all aspects of third-party management.
📍The bank needs to evaluate the overall risk management capability of a third party.
📍The bank needs to have ongoing monitoring via reports, visits/meetings, and testing.
📍The bank needs to evaluate the risk associated with the volume and type of subcontractors a third party deploys.
📍When circumstances warrant, a regulator will examine the functions/operations a third party performs on behalf of the bank and issue enforcement actions if necessary.
What does all of this mean?
As Uncle Ben told Peter Parker, "With great power comes great responsibility."
Bank/non-bank partnerships have grown strongly in recent years. Their collective scale is now large enough to warrant more prudent practices. Hence the updated guideline.
The risk management scope spans multiple parties, but that does not diminish the bank's own workload.
Arguably it takes greater effort: the bank needs to extract information from its partners and manage their behavior. Many such partners have a limited operating history and have not dealt with financial products before.
Besides undiminished regulatory duties, the model requires operational resilience to manage diverse partnerships, while the bank lacks the cross-sell synergies of a full-service bank.
The regulatory action signals that the Banking-as-a-Service model is beginning to mature.